In today’s email ecosystem, ensuring your messages are authenticated and trusted by recipients isn’t just a nice-to-have — it’s essential. Every day, millions of emails are sent for marketing, notifications, and transactional purposes. But without proper authentication, your carefully crafted messages could land in spam folders — or worse, be blocked entirely. At AutoSPF, we care deeply about email deliverability and sender reputation.
In this comprehensive guide, we’ll walk you through setting up DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records for FreshMail, one of the most popular email marketing platforms.
Whether you’re a seasoned email administrator, a technical marketer, or someone just getting started with email authentication, you’ll find detailed steps and practical insights here. By the end of this guide, you’ll have a clear understanding of what these protocols do, why they matter, and how to correctly configure them for FreshMail.
Why DKIM and SPF Matter for Email Deliverability
SPF — Ensuring Your Domain Sends Only Authorized Emails
SPF (Sender Policy Framework) is a DNS-based authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a receiving mail server gets an email, it looks up the SPF record in DNS to see if the sending server is on the allowed list. If it is — great. If not, the email may be marked as spam or rejected.
This helps prevent spoofing — a technique attackers use to send emails that appear to come from your domain. Proper SPF configuration significantly improves your domain’s reputation and helps inbox providers trust your mail.
DKIM — Cryptographically Signing Your Messages
While SPF verifies who sends email from your domain, DKIM verifies what is sent. DKIM uses public-key cryptography where outgoing messages are signed with a private key, and the corresponding public key is published in your DNS record. When the receiving server gets the message, it can use the public key to validate that:
- The email actually came from a server authorized by your domain, and
- The message content hasn’t been tampered with in transit.
Together, SPF and DKIM form a strong foundation for email trust.

Overview of FreshMail and Why Authentication Is Important
FreshMail is an email marketing platform that allows businesses to design and send newsletters, promotional campaigns, and other email communications. Like all major email service providers (ESPs), FreshMail sends email on behalf of its users. But to ensure the best possible inbox deliverability and compliance with modern email authentication standards (including DMARC), it’s critical to set up both SPF and DKIM.
Although FreshMail supports DKIM verification via CNAME records, and you can authorize their servers to send mail on your behalf with SPF, FreshMail’s current system doesn’t allow strict SPF alignment — meaning SPF may authorize the mail, but it might not pass DMARC alignment checks. We explain this further below.
Step-by-Step: Setting Up DKIM for FreshMail
Setting up DKIM is the most important and most effective step you can take for email authentication on FreshMail. Here’s how to do it:
1. Log In to Your FreshMail Account
Start by signing in to your FreshMail dashboard. This is where you manage your email campaigns and domain settings.
2. Access Your Profile Settings
Once logged in, click on your profile icon (usually located in the top right corner). From the dropdown menu, select Settings. This brings you to your account’s main configuration panel.
3. Navigate to DKIM Verification
Within Settings, look for a section labeled DKIM Verification — this is where you authenticate a new domain. This setting ensures that FreshMail’s servers are allowed to sign messages using your domain’s DKIM key.
4. Add Your Domain
In the “Authenticate new domain” section, type in the domain you plan to send email from (for example: yourdomain.com), and click Add.
FreshMail will generate a unique CNAME record specifically for your domain. This is the record that you will add to your DNS host’s configuration.

5. Copy the CNAME Hostname and Value
Once FreshMail provides the CNAME details, copy both the Hostname/Name and the Value/Target exactly as shown. These two elements are essential — if they’re typed incorrectly in your DNS, DKIM won’t function.
6. Add the DKIM Record in Your DNS Host
Now, open the DNS provider where your domain is hosted (e.g., Cloudflare, GoDaddy, or AWS Route 53).
Here’s what to do:
- Add a new DNS record
- Record Type: CNAME
- Name/Hostname: Paste the Hostname provided by FreshMail
- Value/Target: Paste the corresponding value
- TTL: Use the default (or a lower TTL if you want quicker propagation)
⚠️ Important: If you’re using Cloudflare, make sure the proxy status is turned OFF (i.e., DNS only). Cloudflare’s proxy interferes with CNAME resolution for DKIM and can prevent it from validating.
Save the record and allow time for DNS propagation — often up to 24 hours, though many providers update much faster.
7. Confirm Your Domain Is Verified
After propagation, return to FreshMail. The system should confirm that your domain has been successfully verified. This means FreshMail can now cryptographically sign outgoing messages using your domain’s DKIM key.
Once DKIM is in place and verified, mail receivers like Gmail, Yahoo, and corporate mail servers will be able to validate your emails with a high degree of trust.
Step-by-Step: Setting Up SPF for FreshMail
Now that DKIM is in place, let’s add SPF. SPF tells the world which mail servers are authorized to send mail on behalf of your domain. For FreshMail, this means authorizing FreshMail’s servers.
1. Understand FreshMail’s SPF Requirement
According to FreshMail’s support documentation, you can authorize their sending servers by adding an include statement in your domain’s SPF record. The specific include is:
include:_spf.freshmail.pl
By including this in your SPF record, you explicitly allow FreshMail’s mail servers to send mail on behalf of your domain.

2. Locate or Create Your Domain’s SPF Record
Check your DNS records for an existing SPF TXT record. If one already exists, you’ll update it; if not, you’ll create a new TXT record with the SPF details.
SPF uses a TXT record format like this:
v=spf1 include:_spf.freshmail.pl ~all
This line authorizes FreshMail’s servers (include:_spf.freshmail.pl) and ends with ~all, which is a soft fail for any server not included. You could use -all for a hard fail, but soft fail is generally safer during initial implementation. Adjust based on your deliverability strategy.
⚠️ Important: Ensure you have only one SPF TXT record per domain. If you mistakenly publish multiple SPF records, mail providers could return a PermError, and SPF will effectively break.
3. Add or Update the SPF Record
In your DNS provider:
- Record Type: TXT
- Name: @ (or your root domain)
- TXT Value: v=spf1 include:_spf.freshmail.pl ~all
Save the record and allow DNS propagation (often up to 24 hours).
4. SPF and DMARC Alignment Note
Here’s a crucial insight: FreshMail’s SPF inclusion will authorize their servers, but SPF alignment (a specific requirement of DMARC) isn’t currently supported with FreshMail’s infrastructure. This means that even though SPF authorizes the mail, it may not align with your domain for strict DMARC checking. For many users, this is acceptable if DKIM is properly configured and aligned — which it can be.
Because of this, AutoSPF suggests focusing first on DKIM (for alignment) and then adding SPF primarily to authorize FreshMail’s servers.
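The alignment logic behind this recommendation, as an added example that is not FreshMail's or AutoSPF's code. The envelope domain bounces.esp.example is a placeholder for whatever Return-Path domain the provider uses, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(from_domain, spf_result, mail_from_domain, dkim_sigs,
                 aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    dkim_sigs is a list of (d= domain, verification result) tuples.
    DMARC passes when SPF or DKIM passes AND that identifier aligns with From:.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed messages: From: is yourdomain.com, the envelope sender belongs
# to the sending platform (placeholder domain), and SPF itself passes.
WITH_DKIM = dmarc_result("yourdomain.com", "pass", "bounces.esp.example",
                         [("yourdomain.com", "pass")])
WITHOUT_DKIM = dmarc_result("yourdomain.com", "pass", "bounces.esp.example",
                            [("esp.example", "pass")])

if __name__ == "__main__":
    print("domain DKIM configured:", WITH_DKIM)
    print("provider-only signature:", WITHOUT_DKIM)
```

With the domain's own DKIM signature the message passes DMARC even though SPF never aligns; with only the provider's signature it fails despite an SPF pass.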
Checking Your Setup and Best Practices
Here are a few tips to confirm everything is working and to ensure long-term email success:
Use Online Tools to Validate DNS Records
There are many SPF and DKIM checkers available online that will verify your DNS records are correct and propagating properly. These tools help identify syntax issues or missing elements early — long before delivery problems occur.

Monitor DMARC Reports
If your domain has a DMARC record, ensure you set up reporting (via rua and ruf tags) so you can get visibility into how mail from your domain is being processed worldwide.
Be Patient With DNS Propagation
DNS changes don’t happen instantly everywhere. Although many DNS providers propagate updates within minutes, it can take up to 24–48 hours to fully propagate globally.
Single SPF Record Rule
Remember: only one SPF TXT record per domain. If you need to authorize multiple mail services, merge them into a single record with multiple include statements.
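One way to apply the single-record rule, as an added example that is not AutoSPF's or FreshMail's code: it detects multiple SPF TXT records, merges them into one record that carries the FreshMail include, and enforces the 10-DNS-lookup limit from RFC 7208. The sample TXT records and the _spf.mailhost.example include are constructed.

```python
import re

FRESHMAIL_INCLUDE = "include:_spf.freshmail.pl"  # value given in the guide
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample: TXT records at a domain apex with two SPF records (invalid).
SAMPLE_TXT = [
    "v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all",
    "site-verification=constructed-token",
    "v=spf1 include:_spf.freshmail.pl ~all",
]


def spf_records(txt_records):
    """Return the TXT strings that are SPF records; more than one is a PermError."""
    return [r for r in txt_records if re.match(r"(?i)v=spf1(\s|$)", r.strip())]


def bare(term):
    """Strip the qualifier (+ - ~ ?) and lowercase the term."""
    return term.lstrip("+-~?").lower()


def lookup_count(record):
    """Count terms that cost a DNS lookup; RFC 7208 allows at most 10."""
    names = (re.split(r"[:/=]", bare(t))[0] for t in record.split()[1:])
    return sum(1 for n in names if n in LOOKUP_MECHANISMS)


def merge_spf(txt_records, policy="~all"):
    """Fold all SPF records found into one record that also authorizes FreshMail."""
    merged, seen = [], set()
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            # Drop each record's own "all"; one policy term is appended at the end.
            if bare(term) != "all" and term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    if FRESHMAIL_INCLUDE not in seen:
        merged.append(FRESHMAIL_INCLUDE)
    result = " ".join(["v=spf1", *merged, policy])
    if lookup_count(result) > 10:
        raise ValueError("merged record needs more than 10 DNS lookups")
    return result


if __name__ == "__main__":
    print(len(spf_records(SAMPLE_TXT)), "SPF records found")
    print(merge_spf(SAMPLE_TXT))
```

The policy defaults to ~all, matching the guide's soft-fail suggestion for initial rollout; pass policy="-all" once the merged record has been confirmed against real traffic.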